Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

Fiscal Year 2011 Federal Information Security Management Act (FISMA) Independent Evaluation Report

May 11, 2012
EVAL-2012-9 / FA-11-82-7


Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

May 11, 2012

To:       Richard H. Macy
          Chief Information Officer

From:     Joseph A. Marchowsky
          Assistant Inspector General for Audit

Subject:  Fiscal Year 2011 Federal Information Security Management Act Independent Evaluation Report (EVAL-2012-9 / FA-11-82-7)

This memo transmits the fiscal year (FY) 2011 Federal Information Security Management Act (FISMA) independent evaluation report, detailing the results of our independent public accountants' review of the Pension Benefit Guaranty Corporation (PBGC) information security program.

As prescribed by FISMA, the PBGC Inspector General is required to conduct annual evaluations of the PBGC security programs and practices, and to report to the Office of Management and Budget (OMB) the results of this evaluation. CliftonLarsonAllen LLP, with PBGC OIG oversight, completed the OMB-required responses that we then submitted to OMB on November 15, 2011.
This evaluation report provides additional information on the results of CliftonLarsonAllen's review of the PBGC information security program.

Overall, the auditors determined that PBGC has not established an effective information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program. The attached report contains five new FISMA findings with 10 recommendations. In addition, 22 FISMA-related findings with 47 recommendations were reported in the Corporation's FY 2011 internal control report based on our FY 2011 financial statements audit (AUD-2012-2 / FA-11-82-2). Those findings and recommendations support the two information technology material weaknesses and formed, in part, the adverse opinion on internal control.

PBGC's response to the draft report indicates management's agreement with 9 of the 10 recommendations. PBGC management did not agree with one recommendation related to the eTalk application. In summary, OMB's FISMA reporting template requested that an agency report the number of "agency operational, FISMA reportable systems." PBGC included eTalk in its count, a system that was no longer operational and had experienced a catastrophic failure on July 21, 2011. PBGC management asserted that only retired/decommissioned systems should be removed from the system inventory. PBGC management further stated that a major information system or software application that is currently non-operational should still be maintained on the inventory, its POA&Ms tracked, and its security posture identified in FISMA reporting. Management agreed to update policies and procedures to better address when to officially remove a system from the FISMA inventory. CliftonLarsonAllen and OIG determined that the catastrophic failure of eTalk was involuntary.
We agree that PBGC should continue to track eTalk throughout the disposal process. Nevertheless, eTalk was not functioning at the time of OMB reporting and continues to be nonoperational today. Therefore we concluded that eTalk should not have been reported as an "operational" system.

We appreciate the overall cooperation that CliftonLarsonAllen and the OIG received while performing the audit.

Attachment

cc:
Vince Snowbarger        Alice Maroni        Marty Boehm
Laricke Blanchard       Patricia Kelly
Ann Orr                 Judith Starr


CliftonLarsonAllen LLP
www.cliftonlarsonallen.com

Ms. Rebecca Anne Batts
Inspector General
Pension Benefit Guaranty Corporation
1200 K Street, N.W.
Washington DC 20005-4026

Dear Ms. Batts:

We are pleased to provide the Fiscal Year (FY) 2011 Federal Information Security Management Act (FISMA) Independent Evaluation Report, detailing the results of our review of the Pension Benefit Guaranty Corporation (PBGC) information security program.

FISMA requires Inspectors General (IG) to conduct annual evaluations of their agency's security programs and practices, and to report to the Office of Management and Budget (OMB) the results of their evaluations. OMB Memorandum M-11-33, "FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," provides instructions for completing the FISMA evaluation.
Evaluations conducted by Offices of Inspector General (OIG) are intended to independently assess whether the agencies are applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions.

CliftonLarsonAllen LLP completed the required responses on behalf of the PBGC OIG. The OIG then reviewed, approved, and submitted the responses to OMB on November 15, 2011. This evaluation report provides additional information on the results of our review of the PBGC information security program.

In preparing required responses on behalf of the OIG, we coordinated with PBGC management and appreciate their cooperation in this effort. PBGC management has provided us with a response (dated May 10, 2012) to the draft FISMA 2011 Independent Evaluation Report.

Calverton, Maryland
May 11, 2012


TABLE OF CONTENTS

I.    EXECUTIVE SUMMARY
II.   BACKGROUND
III.  OBJECTIVES
IV.   SCOPE AND METHODOLOGY
V.    SUMMARY OF CURRENT YEAR TESTING
VI.   FINDINGS AND RECOMMENDATIONS
VII.  FISMA-RELATED FINDINGS REPORTED IN THE FINANCIAL STATEMENT AUDIT
VIII. FISMA RECOMMENDATIONS CLOSED IN FISCAL YEAR 2011
IX.   PRIOR AND CURRENT YEARS' OPEN FISMA RECOMMENDATIONS
X.    MANAGEMENT RESPONSE

This document was produced for the PBGC Office of Inspector General. It is intended for the information and use of PBGC management and Office of Inspector General and is not intended to be and should not be used by anyone other than these specified parties.


I.    EXECUTIVE SUMMARY

Title III of the E-Government Act (Public Law No. 104-347), also called the Federal Information Security Management Act (FISMA), requires agencies to adopt a risk-based, life cycle approach to improving computer security that includes annual security program reviews, independent evaluations by the Inspector General (IG), and reporting to the Office of Management and Budget (OMB) and the Congress. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

We are reporting five (5) FISMA findings with ten (10) recommendations for Fiscal Year (FY) 2011 based on the results of our FY 2011 independent evaluation. We note that these are the total findings and recommendations related to information technology weaknesses.
In addition to those in this report, twenty-two (22) FISMA-related findings with forty-seven (47) recommendations were reported in the Corporation's FY 2011 internal control report based on our FY 2011 financial statements audit work. Overall, we determined that the Pension Benefit Guaranty Corporation (PBGC) has not established an effective information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program.

II.   BACKGROUND

The Pension Benefit Guaranty Corporation (PBGC) protects the pensions of nearly 44 million workers and retirees in more than 27,000 private defined benefit pension plans. Under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), PBGC insures, subject to statutory limits, pension benefits of participants in covered private defined benefit pension plans in the United States. To accomplish its mission and prepare its financial statements, PBGC relies extensively on information technology (IT). Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

PBGC has become increasingly dependent on computerized information systems to execute its operations and to process, maintain, and report essential information. As a result, the reliability of computerized data and of the systems that process, maintain, and report this data is a major priority for PBGC. While the increase in computer interconnectivity has changed the way the government does business, it has also increased the risk of loss and misuse of information by unauthorized or malicious users. Protecting information systems continues to be one of the most important challenges facing government organizations today.

Through FISMA, the U.S. Congress showed its intention to enhance the management and promotion of electronic government services and processes. Its goals are to achieve more efficient government performance, increase access to government information, and increase citizen participation in government. FISMA also provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

PBGC operates an open and distributed computing environment to facilitate collaboration and knowledge sharing, and support its mission of protecting the pensions of nearly 44 million workers and retirees. It faces the challenging task of maintaining this environment, while protecting its critical information assets against malicious use and intrusion.

The PBGC Office of Inspector General (OIG) contracted with Clifton Gunderson LLP to conduct PBGC's FY 2011 FISMA Independent Evaluation. We performed this evaluation in conjunction with our review of information security controls required as part of the annual financial statement audit.

III.  OBJECTIVES

The purposes of this evaluation were to assess the effectiveness of PBGC's information security program and practices and to determine compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines.

IV.   SCOPE & METHODOLOGY

To perform our review of PBGC's security program, we followed a work plan based on the following guidance:

• National Institute of Standards and Technology (NIST)'s Recommended Security Controls for Federal Information Systems – Special Publication (SP) 800-53, for specification of security controls.
• NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, for certification and accreditation controls.
• NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, for the assessment of security control effectiveness.
• Government Accountability Office (GAO)'s Federal Information System Controls Audit Manual (FISCAM: GAO-09-232G), for information technology audit methodology.

The combination of these methodologies allowed us to meet the requirements of both FISMA and the Chief Financial Officer's Act.

Our procedures included internal and external security reviews of PBGC's information technology (IT) infrastructure; reviewing agency Plans of Action and Milestones (POA&Ms); and evaluating the following subset of PBGC's major systems:

• Consolidated Financial System (CFS)
• Premium Accounting System (PAS)
• Pension and Lump Sum System (PLUS)
• eTalk
• TeamConnect
• Corporate Data Management System (CDMS)

We performed procedures to test (1) PBGC's implementation of an entity-wide security plan, and (2) operational and technical controls specific to each application such as service continuity, logical access, and change controls.
We also performed targeted tests of controls over financial and business process applications. We performed our review from April 6, 2011 to September 30, 2011 at PBGC's headquarters in Washington DC. We also performed a security assessment of the PLUS application in July 2011 at State Street Corporation in Quincy, Massachusetts.

This independent evaluation was prepared based on information available as of September 30, 2011.

V.    SUMMARY OF CURRENT YEAR TESTING

Our review of IT controls covered general and selected business process application controls. General controls are the structure, policies, and procedures that apply to an entity's overall computer systems. They include entity-wide security management, access controls, configuration management, segregation of duties and contingency planning controls. Business process application controls are those controls over the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.

Our review also included the integration of financial management systems to ensure effective and efficient interrelationships. These interrelationships include common data elements, common transaction processing, consistent internal controls, and transaction entry.

The slow progress of mitigating PBGC's systemic security control weaknesses as well as the lack of an integrated financial management system posed increasing and substantial risk to PBGC's ability to carry out its mission during FY 2011.
The extended time required and the lack of meaningful progress in PBGC's multi-year approach to correct previously reported deficiencies at the root cause level introduced additional risks. These include technological obsolescence, inability to execute corrective actions, breakdown in communications and poor monitoring. As a result, PBGC's attempt to address entity-wide security management program deficiencies and systemic security control weaknesses at the root cause level had minimal effect.

PBGC's historical decentralized approach to system development and configuration management has exacerbated control weaknesses and encouraged inconsistency in implementing strong technical controls and best practices. The influx of 620 plans for over 800,000 participants from 2002-2005 contributed to PBGC's disjointed IT development and implementation strategy. The mandate to meet PBGC's mission objectives by implementing technologies to receive the influx of plans superseded proper enterprise planning and IT security controls. The result was a series of stovepipe solutions built upon unplanned and poorly integrated heterogeneous technologies with varying levels of obsolescence.

The Corporation continued its implementation of an enterprise multi-year corrective action plan (CAP) to address IT security issues at the root cause level. PBGC management realizes these weaknesses will continue to pose a threat to its environment for several years while corrective actions are being implemented. PBGC needs to implement interim corrective actions to ensure fundamental security weaknesses do not worsen as the CAP is being implemented.

PBGC performed a more rigorous and thorough assessment and authorization (A&A) process, formerly referred to as a certification and accreditation process.
This process identified significant fundamental security control weaknesses for its general support systems, many of which were reported in prior years' audits. These weaknesses remain unresolved. PBGC reports that the Corporation is in the process of performing A&As on its major applications.

We continued to find deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration and the A&As.

Our current year audit work found deficiencies in the areas of security management, access controls, and configuration management. Control deficiencies were also found in policy administration, and the certification and accreditation of major applications and contractor systems. An effective entity-wide security management program requires a coherent strategy for the architecture of the IT infrastructure, and the deployment of systems. The implementation of a coherent strategy provides the basis and foundation for the consistent application of policy, controls, and best practices. PBGC needs to continue development and implementation of its CAP to address its programmatic IT weaknesses. This framework will require time for effective control processes to mature.

Based on our findings, we are reporting deficiencies in the following areas for FY 2011:
1. Entity-wide security program planning and management,
2. Access controls and configuration management,
3. Information Technology Controls for The Protection of Privacy,
4. Plan of Action and Milestones (POA&M),
5. Miscellaneous FISMA Controls.

The financial internal control findings related to entity-wide security program planning and management, access controls and configuration management were reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2010 and 2011 Financial Statements Audit (AUD-2012-2 / FA-11-82-2) issued on November 14, 2011. As a result of our findings, we made recommendations to correct the deficiencies. A table summarizing these findings is in Section VII of this report.

In addition, our audit also found deficiencies specifically related to responses required by OMB Memorandum M-11-33 which are included in this report. These findings and recommendations, not previously reported, are as follows.

VI.   FINDINGS AND RECOMMENDATIONS

1. Entity-wide security program planning and management

The eTalk application was listed as a major application in the FY 2011 PBGC systems inventory and reported as an "Agency operational, FISMA reportable" system in PBGC's November 15, 2011 submission to OMB. However, it was not available in PBGC's production environment; the eTalk application experienced a catastrophic incident on July 21, 2011, and was no longer operational. PBGC is currently exploring alternative solutions for a new system.

eTalk is a monitoring software/recording system that provides PBGC with the ability to monitor and evaluate calls for internal and third-party quality review. eTalk captures/records incoming participant calls from the Customer Contact Center's (CCC) 1-800 number. eTalk Qfiniti was purchased as a solution to provide internal quality review and evaluation in order to meet PBGC's performance measures goal to examine and improve the effectiveness of the customer service that PBGC provides.
The eTalk system assists PBGC in meeting its strategic plan to improve the federal pension insurance program by providing exceptional customer service to its plan participants.

For FY 2011, OMB Memorandum 11-33 provided Federal agencies with instructions for reporting their compliance with FISMA and certain privacy requirements. In the OMB-mandated FISMA template, the first question in Section 1 asks each agency to summarize its system inventory; specifically:

    For each of the FIPS 199 system categorized impact levels in this question, provide the total number of Agency operational, FISMA reportable, systems by Agency component (i.e. Bureau or Sub-Department Operating Element). [emphasis supplied]

This concept of "operational" (commonly called "availability") is a fundamental component of information security, as defined in FISMA at 44 U.S.C. § 3542 and reiterated in the standards prescribed in the Federal Information Processing Standards Publication (FIPS Pub) 199, Standards for Security Categorization of Federal Information and Information Systems:

    (1) The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
        * * *
        (C) availability, which means ensuring timely and reliable access to and use of information.

As of the November 15, 2011 OMB mandated reporting deadline for agency inventory, eTalk had been off-line for more than three months and remains non-operational as of the date of this report. Therefore, including eTalk in the count of operational systems for FISMA reporting was incorrect. Failure to accurately report inventory information to OMB hinders its ability to assess the implementation of security capabilities and measure their effectiveness.

Recommendation:

o PBGC should ensure that it answers and provides information to OMB as requested. (OIG Control Number FISMA 11-01)

    Management Response

    o Response: PBGC disagrees with both the finding and the recommendation. FISMA asks for information on "Operational" systems. However, PBGC believes (and OMB has validated) that this is not a short-term but a long-term meaning. We agree that retired/decommissioned systems should be removed from the system inventory. However, if a major information system or software application is currently non-operational, we believe it should still be maintained on the inventory, its POA&Ms tracked, and its security posture identified in FISMA reporting.
    In terms of impact of this finding, we see no harm in continuing to classify this system as part of the FISMA inventory, especially since PII data and other security risks may continue to reside in the system. Further, we believe that our reporting to FISMA was accurate and provided useful information to OMB. Nevertheless, we do see a need for our policies to better address when to officially remove a system from the FISMA inventory and we will clarify our procedures to state that this will occur upon retirement and decommissioning.

    Auditor's Note

    The eTalk system experienced a catastrophic failure on July 21, 2011 and PBGC was unable to reconstitute the system. This event was not a voluntary removal and did not follow an orderly decommissioning process. Accordingly, the eTalk application was not operational at the reporting date. We agree with PBGC that the agency should continue to track the system during the remainder of the disposal process.

    Major applications require certain minimum security controls, including availability (i.e. operational) as defined in FISMA at 44 U.S.C. § 3542 and reiterated in the standards prescribed in the Federal Information Processing Standards Publication (FIPS Pub) 199, Standards for Security Categorization of Federal Information and Information Systems, noted in the finding.
    We continue to believe that eTalk should not be reported as operational.

2. Privacy

PBGC has not implemented controls to remove all PII from the development environment or to encrypt backup tapes containing PII.

Recommendations:

o Remove PII from the development environment. (OIG Control Number FISMA-11-02)

    Management Response

    o Response: PBGC agrees. We have been discussing the best approach to this and have established a project to develop a data masking strategy to include categories of production data that need obfuscation and the selection of a data obfuscation tool. This is targeted to be completed by October 2012. From this, we plan to begin masking production data in nonproduction environments in FY 13.

o Encrypt and secure backup tapes that contain PII. (OIG Control Number FISMA-11-03)

    Management Response

    o Response: PBGC agrees. As of December 31, 2011, all tape backups, excluding the legacy services of the Imaging Processing System (IPS), use Advanced Encryption Standard (AES) 256 bit encryption by way of the Symantec NetBackup software. We plan to address encryption of the IPS legacy services by June 2012.

PBGC has not taken necessary steps to protect privacy sensitive information in the Corporate Data Management System (CDMS) application. Because PBGC has not completed the security categorization of CDMS, it has not determined the minimum security requirements to be implemented for the CDMS application. PBGC also has not conducted a Privacy Impact Assessment (PIA) for the system, although CDMS contains PII.
Additionally, user access recertification is not performed on a periodic basis and there is no formalized process to ensure appropriateness of access to CDMS.

Recommendations:

o Complete the security categorization of PBGC information systems. (OIG Control Number FISMA-11-04)

    Management Response

    o Response: PBGC agrees. It is essential to properly categorize PBGC's information systems in order to ensure that the proper authorization boundaries are established in support of the mission, business objectives, and the enterprise architecture; and to ensure that based on the information sensitivity, the appropriate security controls baseline (low, moderate, or high) is selected. PBGC's new information security policy, which was published in April 2012, requires that systems undergo security categorization in accordance with FIPS 199 and FIPS 200. In anticipation of this policy and following newly established OIT governance processes, OIT published SE-STD-01-13, PBGC Security Categorization Standard dated December 14, 2012 that defines the requirements of system categorization. OIT published OIT Information Systems Registration Process dated November 14, 2011 that defines the steps to complete a classification and determination memo, a FIPS 199 determination, privacy threshold analysis and privacy impact assessment (if the system contains privacy data).
    All major information systems that were previously included in the PBGC FISMA inventory have been through the categorization process. Additionally, we now categorize all new subsystems, software applications and tools as they come into the enterprise, following this process. We are continuing to identify and categorize legacy software applications that number in the dozens to ensure that they are properly labeled as major information systems or whether they are subsystems, applications or tools that are contained within an existing major information system boundary.

o Implement minimum security requirements to secure the CDMS application. (OIG Control Number FISMA-11-05)

    Management Response

    o Response: PBGC agrees. We have completed the FIPS-199 Categorization and Classification Determination. The Privacy Impact Assessment is completed. We plan to update the Security Plan as well as internally test security controls and complete a vulnerability scan in April. Annual Account Recertification is targeted to be complete by May 2012. PBGC will identify an appropriate time for an independent Security Assessment and Authorization based on POA&Ms generated for the above.

o Conduct and document a Privacy Impact Assessment for CDMS. (OIG Control Number FISMA-11-06)

    Management Response

    o Response: PBGC agrees. The Privacy Impact Assessment was completed April 3, 2012.

3. Plan of Action and Milestones (POA&M) (repeated from prior years)

PBGC is still working on the process of consolidating its POA&Ms. The process is not fully developed and implemented. PBGC management did not provide us with a copy of the entity-wide POA&M.
Lack of an up-to-date and consolidated POA&M could result in identified security\ndeficiencies not being properly tracked and monitored, and thereby not remediated in a timely\n                                                     8\n           This document was produced for the PBGC Office of Inspector General. It is intended for\n           the information and use of PBGC management and Office of Inspector General and is not\n             intended to be and should not be used by anyone other than these specified parties.\n\x0cmanner. As part of the \xe2\x80\x9cGovernance\xe2\x80\x9d Individual Corrective Action Plan (iCAP), the Chief\nInformation Officer (CIO)\xe2\x80\x99s security program and security processes are being redone with an\nexpected completion date of Fall 2011. PBGC provided the Office of Information Technology\n(OIT)\xe2\x80\x99s initial data call for POA&M items, which are being rolled up and consolidated in order for\nOIT to provide management support, oversight, and advice to the CIO and other PBGC\nmanagement officials regarding residual risk posed by deficiencies in these systems. While\nPBGC has taken initial steps to develop a consolidated POA&M process, more work remains to\nbe done, including developing an entity-wide POA&M. Therefore, this finding continued for FY\n2011.\n\nRecommendations:\n\n   o   Develop, maintain and update PBGC\xe2\x80\x99s entity-wide plan of action and milestones, at least\n       on a quarterly basis, and ensure it includes all entity-wide security deficiencies noted.\n       (OIG Control Number FISMA-09-08)\n\n       Management Response\n\n       o     Response: PBGC agrees and established an Enterprise POA&M last fall. It includes\n             all enterprise-wide security deficiencies that are not captured in system specific\n             POA&Ms. It is updated at least quarterly. 
PBGC\'s official POA&M Process was\n             officially approved in December, 2011.\n\n   o   Disseminate PBGC\xe2\x80\x99s entity wide POA&M to all responsible parties to ensure corrective\n       actions are taken in accordance with POA&M. (OIG Control Number FISMA-09-09)\n\n       Management Response\n\n       o     Response: PBGC agrees and uses the Enterprise POA&M as a management tool\n             with all responsible parties to track progress on remediating deficiencies.\n\nPBGC\xe2\x80\x99s POA&M process is ineffective. We noted the following deficiencies in FY 2009, FY\n2010 and again in FY 2011:\n      \xe2\x88\x92 No evidence that reports on the progress of security weakness remediation is being\n          provided to the Chief Information Officer (CIO) on a regular basis.\n      \xe2\x88\x92 No evidence that the PBGC CIO centrally tracks, maintains, and independently\n          reviews/validates POA&M activities on at least a quarterly basis.\n\nPBGC Management has started the process of consolidating POA&Ms for PBGC systems,\neducating system owners on the POA&M process and collecting items needed to manage the\nprocess; however, management has not completed the process, including CIO reviews.\nAccording to the PBGC Corrective Action Plan, the CIO\xe2\x80\x99s security program and security\nprocesses are being redone with an expected completion date of Fall 2011. While PBGC has\nimplemented additional processes in FY 2011, such as implementing a process to develop an\nentitywide POA&M, other POA&M process improvements related to consolidating POA&Ms\nacross PBGC are not complete as of August 2011, and therefore were not available for review\nduring this audit period. This finding continued for FY 2011.\n\n\n\n\n                                                     9\n           This document was produced for the PBGC Office of Inspector General. 
It is intended for\n           the information and use of PBGC management and Office of Inspector General and is not\n             intended to be and should not be used by anyone other than these specified parties.\n\x0cRecommendations:\n\n  o   Ensure that the agency and program specific plan of action and milestones are tracked\n      appropriately and provided to PBGC\xe2\x80\x99s CIO regularly. (OIG Control Number FISMA-09-\n      10)\n\n      Management Response\n\n      o     Response: PBGC agrees. The official procedures were approved in December, 2011\n            and are in the process of being implemented across all major systems and should be\n            fully implemented by July 2012.\n\n  o   Ensure PBGC\xe2\x80\x99s CIO centrally tracks, maintains and independently reviews/validates\n      POA&M activities, at least on a quarterly basis. (OIG Control Number FISMA-09-11)\n\n      Management Response\n\n      o     Response: PBGC agrees. Official POA&M procedures were approved in December,\n            2011 and POA&Ms are currently consolidated and presented to the CIO at least four\n            times each year. We are targeting April 2012 to have all POA&Ms converted to the\n            standard format from the legacy formats that have been used.\n\n\n\n\n                                                    10\n          This document was produced for the PBGC Office of Inspector General. It is intended for\n          the information and use of PBGC management and Office of Inspector General and is not\n            intended to be and should not be used by anyone other than these specified parties.\n\x0c     VII.   
FISMA-RELATED FINDINGS REPORTED IN THE FINANCIAL STATEMENT AUDIT\n\n     The following table summarizes FISMA-related findings noted under entity-wide security\n     program planning and management, access controls, and configuration management, that were\n     reported in the Report on Internal Controls Related to the Pension Benefit Guaranty\n     Corporation\xe2\x80\x99s Fiscal Year 2011 and 2010 Financial Statements Audit (AUD-2012-2 /FA-11-82-2)\n     issued November 14, 2011.\n\n                    Finding Summary                                           Recommendation\n1.     Weaknesses in PBGC\xe2\x80\x99s infrastructure               Effectively communicate to key decision makers the\n       design and deployment strategy for                state of PBGC\xe2\x80\x99s IT infrastructure and environment to\n       systems      and     applications    adversely    facilitate the prioritization of resources to address\n       affected its ability to effectively implement     fundamental weaknesses. (OIG Control Number FS-\n       common security controls across its               09-01)\n       systems and applications. Without full\n       development and implementation, security          Document and execute the details of the specific\n       controls are inadequate; responsibilities are     actions needed to complete and confirm the design,\n       unclear, misunderstood, and improperly            implementation, and operating effectiveness of all 130\n       implemented;        and       controls     are    identified common security controls. (OIG Control #\n       inconsistently applied. Such conditions lead      FS-08-01 *Modified)\n       to insufficient protection of sensitive or\n       critical resources or disproportionately high     Develop a process to review and validate reported\n       expenditures for controls.                        
progress on the implementation of the common\n                                                         security controls. Implement a strategy to test and\n                                                         document the effectiveness of each new control\n                                                         implemented. (OIG Control Number FS-09-02)\n\n2. PBGC continued the implementation of its              Develop and implement a well-designed security\n   CAP to address fundamental weaknesses in              management program that will provide security to the\n   its entity-wide security program planning and         information and information systems that support the\n   management. During FY 2011, PBGC began                operations and assets of the Corporation, including\n   the implementation of a more rigorous and             those managed by contractors or other Federal\n   thorough A&A process. Through this                    agencies. (OIG Control Number FS-09-03)\n   process,      PBGC      identified  significant\n   fundamental security control weaknesses for           Complete the development and implementation of the\n   its general support systems, many of which            redesign of PBGC\xe2\x80\x99s IT infrastructure and the\n   were reported on in prior years\xe2\x80\x99 audits. While        procurement and implementation of technologies to\n   this is an important step in the planning             support a more coherent approach to providing\n   process, these security control weaknesses            information services and information system\n   remain unresolved and PBGC\xe2\x80\x99s efforts lack             management controls. (OIG Control Number FS-09-\n   sufficient meaningful and incremental                 04)\n   progress. PBGC reports that they are in the\n   process of performing A&As on its major               Implement an effective review process to validate the\n   applications. 
The slow rate of progress has           completion of the A&A packages for all major\n   introduced      additional    risks  including        applications. The review should not be performed by\n   technological obsolescence, inability to              an individual associated with the performance of the\n   execute corrective actions, breakdown in              A&A, or by someone who could influence the results.\n   communications and poor monitoring.                   This review should be completed for all components of\n                                                         the    work    performed    to   ensure    substantial\n                                                         documentation is available that supports and validates\n                                                        11\n              This document was produced for the PBGC Office of Inspector General. It is intended for\n              the information and use of PBGC management and Office of Inspector General and is not\n                intended to be and should not be used by anyone other than these specified parties.\n\x0c                Finding Summary                                         Recommendation\n                                                      the results obtained. (OIG Control # FS-08-02\n                                                      *Modified)\n\n                                                      Ensure that adequate documentation is maintained\n                                                      which supports, substantiates, and validates all results\n                                                      and conclusions reached in the A&A process for all\n                                                      major applications. 
(OIG Control # FS-09-05\n                                                      *Modified)\n\n                                                      Establish and implement comprehensive procedures\n                                                      and document the roles and responsibilities that\n                                                      ensure oversight and accountability in the A&A review\n                                                      process for major applications. Retain evidence of\n                                                      oversight reviews and take action to address\n                                                      erroneous or unsupported reports of progress. (OIG\n                                                      Control # FS-09-06 *Modified)\n\n                                                      Maintain an accurate and authoritative inventory list of\n                                                      major applications and general support systems.\n                                                      Ensure the list is disseminated to responsible staff and\n                                                      used consistently throughout PBGC Office of IT (OIT)\n                                                      operations. (OIG Control Number FS-09-07)\n\n                                                      Implement an independent and effective review\n                                                      process to validate the completion of the A&A\n                                                      packages for all major applications. 
(OIG Control #\n                                                      FS-08-03 *Modified)\n\n                                                      Implement an independent and effective review\n                                                      process to validate the completion of the A&A\n                                                      packages for general support systems hosted on\n                                                      behalf of PBGC by third party processors. The\n                                                      effective review should include examining host and\n                                                      general controls risk assessments. (OIG Control # FS-\n                                                      08-03 *Modified)\n\n3.   Information      security     policies   and Continue to disseminate the awareness of PBGC\xe2\x80\x99s\n     procedures were not fully disseminated and security policies and procedures through adequate\n     implemented. PBGC is not able to training. (OIG Control # FS-07-04 *Modified)\n     effectively enforce compliance for Security\n     Awareness training. PBGC currently has a\n     cumbersome and error-prone manual\n     process to account for personnel who have\n     completed security awareness training. The\n     process is ineffective and limits PBGC\xe2\x80\x99s\n     ability to ensure that all required personnel\n     have completed security awareness\n     training.\n\n                                                     12\n           This document was produced for the PBGC Office of Inspector General. It is intended for\n           the information and use of PBGC management and Office of Inspector General and is not\n             intended to be and should not be used by anyone other than these specified parties.\n\x0c                  Finding Summary                                         Recommendation\n4.   
In FY 2010, PBGC\xe2\x80\x99s benefit payments               Develop and implement an immediate plan of action to\n     service     provider   (service     provider)     address the potential security risk posed by locating\n     implemented a security operations center          the SOC outside of the US. (OIG Control # FS-10-01)\n     (SOC) outside of the United States (US),\n     without providing PBGC adequate advance           Review PBGC contracts to ensure contractors are\n     notice. In FY 2011, PBGC completed a risk         required to comply with PBGC information security\n     assessment, but it did not contain adequate       standards and the Federal Information Security\n     evidence to verify and validate the technical     Management Act (FISMA). (OIG Control #FS-10-02)\n     security risks of the SOC. Because the\n     SOC has some responsibility for monitoring        Ensure that adequate controls in the design and\n     security-related events associated with the       implementation of the SOC are in place to protect\n     PLUS application and components of its            PBGC PLUS. (OIG Control Number # FS-11-01)\n     system boundary, it is important PBGC\n     assess risks to its systems and implement\n     mitigating controls to ensure compliance\n     with PBGC\xe2\x80\x99s policies and procedures.\n\n5.   PBGC has not executed interconnection             Develop controls and implement an ISA and MOU with\n     security     agreements      (ISA)    or          all external organizations whose systems connect to\n     memorandums of understanding (MOU)                PBGC\xe2\x80\x99s systems. (OIG Control # FS-10-03\n     between all external organizations whose          *Modified)\n     systems    interconnect   with    PBGC\xe2\x80\x99s\n     systems. 
Controls to require such\n     agreements do not exist.\n\n     PBGC is in the process of planning and\n     documenting security agreements for\n     interconnection     with    all     external\n     organizations\xe2\x80\x99 systems. In the absence of\n     an ISA and MOU, either party (PBGC or\n     external system owner) may be unfamiliar\n     with the technical requirements of the\n     interconnection and the details that may be\n     required to provide overall security for\n     systems that are interconnected.\n\n6.   PBGC\xe2\x80\x99s configuration management controls          Develop and implement procedures and processes for\n     are labor intensive and ineffective.              the    consistent  implementation      of   common\n     Weaknesses in the design of PBGC\xe2\x80\x99s                configuration management controls to minimize\n     infrastructure and deployment strategy for        security weaknesses in general support systems. (OIG\n     systems and applications created an               Control Number FS-07-07)\n     environment     where strong     technical\n     controls and best practices cannot be             Develop and implement a coherent strategy for\n     effectively   implemented.  Configuration         correcting IT infrastructure deficiencies and a\n     management controls are therefore not             framework for implementing common security controls,\n     consistently implemented across PBGC\xe2\x80\x99s            and mitigating the systemic issues related to access\n     general support systems. PBGC\xe2\x80\x99s three IT          control by strengthening system configurations and\n     environments (development, test, and              user account management for all of PBGC\xe2\x80\x99s\n     production) do not share common server            information systems. 
(OIG Control Number FS-09-12)\n                                                      13\n            This document was produced for the PBGC Office of Inspector General. It is intended for\n            the information and use of PBGC management and Office of Inspector General and is not\n              intended to be and should not be used by anyone other than these specified parties.\n\x0c                 Finding Summary                                          Recommendation\n     configurations; therefore, management             Establish baseline configuration standards for all of\n     cannot rely on results obtained in the            PBGC\xe2\x80\x99s systems. (OIG Control Number FS-09-13)\n     development or test environments prior to\n     deployment in production. Overall, the            Review configuration settings and document any\n     PBGC environment suffers from inadequate          discrepancies from the PBGC configuration baseline.\n     configuration, roles, privileges, logging,        Develop and implement corrective actions for systems\n     monitoring, file permissions, and operating       that do not meet PBGC\xe2\x80\x99s configuration standards.\n     system access.                                    (OIG Control Number FS-09-14)\n\n                                                       Ensure test, development and production databases\n                                                       are appropriately segregated to protect sensitive\n                                                       information and also fully utilized to increase system\n                                                       performance. 
(OIG Control Number FS-09-15)\n\n                                                       Establish interim procedures to implement available\n                                                       compensating controls (such as establishing a test\n                                                       team to verify developer changes in production) until a\n                                                       comprehensive solution to adequately segregate test,\n                                                       development and production databases can be\n                                                       implemented. (OIG Control Number FS-09-16)\n\n7.   PBGC\xe2\x80\x99s policies and practices have not Continue to remove unnecessary user and/or generic\n     effectively restricted the addition of accounts. (OIG Control Number FS-07-08)\n     unnecessary and generic accounts to\n     systems in production. Consequently, the\n     number of unnecessary and generic\n     accounts grew over the years. PBGC\n     management has not determined if the\n     removal of all legacy generic accounts\n     would disrupt production activities.\n\n8.   Controls are not consistently implemented         Consistently implement controls to appropriately\n     to appropriately segregate duties and grant       segregate duties and grant rights and privileges\n     rights and privileges commensurate with           commensurate        with  the   job functions   and\n     the job functions and responsibilities. PBGC      responsibilities. (OIG Control Number FS-07-09)\n     does not have a coherent strategy for\n     enforcing segregation of duties through           Assess the risk associated with the lack of segregation\n     strong technical controls in its applications     of duties, password management, and overall\n     and general support systems.                      inadequate system configuration. 
Discuss risk with\n                                                       system owners and implement compensating controls\n                                                       wherever possible. If compensating controls cannot be\n                                                       implemented the system owner should sign-off\n                                                       indicating risk acceptance. (OIG Control # FS-09-17\n                                                       *Modified)\n\n9.   Some developers have access to the Appropriately restrict developers\xe2\x80\x99 access to production\n     production environment, which exposes environment to only temporary emergency access.\n     PBGC to the risk of unauthorized (OIG Control Number FS-07-10)\n     modification of the application, the\n                                          14\n            This document was produced for the PBGC Office of Inspector General. It is intended for\n            the information and use of PBGC management and Office of Inspector General and is not\n              intended to be and should not be used by anyone other than these specified parties.\n\x0c                Finding Summary                                    Recommendation\n     circumvention of critical controls, and Assess developers\xe2\x80\x99 access to production on all PBGC\n     unnecessary access to sensitive data.   systems and determine if access is required based on\n                                             the security principles \xe2\x80\x9cneed to know and least\n                                             privilege.\xe2\x80\x9d If developers require access to a specific\n                                             application, the reason should be documented and\n                                             management should sign-off indicating acceptance of\n                                             the risk(s). 
In all other instances developer access to\n                                             production should be immediately removed. (OIG\n                                             Control Number FS-09-18)\n\n10. Controls are not consistently applied to           Consistently apply controls to ensure that\n    ensure that authentication parameters for          authentication parameters for PBGC\xe2\x80\x99s general support\n    general support systems (e.g. Novell,              systems (e.g. Novell, Windows, Sun Solaris, Oracle,\n    Windows, SUN Solaris, Oracle, etc.) and            etc.) and applications are in compliance with the IAH.\n    applications comply with the Information           (OIG Control Number FS-07-11)\n    Assurance Handbook (IAH). PBGC\xe2\x80\x99s\n    decentralized     approach    to    system         Implement a manual review process whereby OIT\n    development         and       configuration        periodically reviews systems for compliance with\n    management has made it particularly                baseline settings. (OIG Control Number FS-09-19)\n    difficult to implement consistent technical\n    controls across PBGC\xe2\x80\x99s many systems,\n    platforms, and applications.\n\n11. PBGC\xe2\x80\x99s       configuration     management          For the remaining systems, apply controls to\n    weaknesses have contributed significantly          remove/disable inactive and dormant accounts after a\n    to its inability to effectively implement          specified period in accordance with the IAH. (OIG\n    controls to ensure the consistent removal          Control # FS-07- 12 *Modified)\n    and locking out of generic or dormant\n    accounts. The lack of controls to\n    remove/disable inactive accounts and\n    dormant     accounts     exposes   PBGC\xe2\x80\x99s\n    systems to exploitation and compromise.\n\n12. 
The OIT recertification process is                 Complete the implementation of the recertification\n    incomplete and only addresses generic and          process for all user and system accounts. Continue to\n    service accounts; it does not include all          perform annual recertification and include all PBGC\xe2\x80\x99s\n    user and system accounts. In addition, the         accounts (e.g. user, generic, service, and systems\n    Recertification of User Access Process,            accounts) for general support systems and major\n    version 4.0, does not explicitly state that all    applications. (OIG Control Number FS-07-13)\n    accounts (e.g. user, system, and service)\n    across all platforms and applications will be\n    re-certified annually. PBGC\xe2\x80\x99s infrastructure\n    design and configuration management\n    weaknesses have contributed significantly\n    to its inability to effectively implement\n    controls to recertify all user and system\n    accounts.\n\n\n                                                      15\n            This document was produced for the PBGC Office of Inspector General. It is intended for\n            the information and use of PBGC management and Office of Inspector General and is not\n              intended to be and should not be used by anyone other than these specified parties.\n\x0c                 Finding Summary                                         Recommendation\n13. Vulnerabilities found in key databases and         Implement controls to remedy vulnerabilities noted in\n    applications     include     weaknesses       in   key databases and applications such as weaknesses\n    configuration, roles, privileges, auditing, file   in configuration, roles, privileges, auditing, file\n    permissions, and operating system access.          permissions, and operating system access. 
(OIG\n    These PBGC system vulnerabilities are              Control Number FS-07-14)\n    caused by an ineffective deployment\n    strategy in the development, test, and             Implement controls to remedy weaknesses in the\n    production      environments.       Ineffective    deployment of servers, applications, and databases in\n    system deployments have resulted in an             the development, test, and production environments.\n    environment that is in disarray. Security          (OIG Control Number FS-09-20)\n    control weaknesses and vulnerabilities in\n    key databases remain unresolved. These\n    control weaknesses are scheduled to be\n    corrected in 2013. These weaknesses\n    expose PBGC to increased risk of data\n    modification or deletion. Unauthorized\n    changes could occur and not be detected.\n\n14. Access request authorizations were not             Ensure that adequate documentation of access\n    appropriately documented. PBGC has not             authorization is maintained by implementing proper\n    fully implemented controls to ensure               monitoring and enforcement measures in compliance\n    Enterprise Local Area Network (ELAN)               with approved policies and procedures. (OIG Control\n    forms are properly documented and                  Number FS-07-15)\n    maintained.\n\n15. PBGC lacks an effective process to track           Update and enforce directive PM 05-1, PBGC\n    contractors throughout their employment at         Entrance on Duty and Separation Procedures for\n    PBGC, including appropriate notifications of       Federal and Contract Employees, to ensure contract\n    start dates and separation. PBGC updated           personnel can be tracked effectively. Also, ensure a\n    its directive PM 05-1, PBGC Entrance on            formal Entrance on Duty and Separation Clearance\n    Duty and Separation Procedures for                 process is followed. 
    (OIG Control Number FS-07-16)

    … Federal and Contract Employees, in FY 2011 to provide for the effective
    enforcement of controls designed to track the entrance and separation of all
    Federal and contract employees. However, the implementation of PM 05-1 has not
    reached a level of maturity at which the effectiveness of these controls can be
    tested and validated.

16. Finding: Periodic logging and monitoring of security-related events for
    PBGC’s applications were inadequate for the Consolidated Financial Systems
    (CFS), Premium Accounting System (PAS), Trust Accounting System (TAS),
    Participant Records Information Systems Management (PRISM), and Integrated
    Present Value of Future Benefits (IPVFB) systems. PBGC’s IT infrastructure
    consists of multiple legacy systems and applications (e.g., PAS, TAS, IPVFB,
    PRISM) that do not have a coherent architecture for management and security.

    Recommendation: Implement a logging and monitoring process for application
    security-related events and critical system modifications (e.g., CFS, PAS,
    TAS, PRISM, and IPVFB). (OIG Control Number FS-07-17)

                                                     16
            This document was produced for the PBGC Office of Inspector General. It is intended for
            the information and use of PBGC management and Office of Inspector General and is not
              intended to be and should not be used by anyone other than these specified parties.

17. Finding: The application virtualization/application delivery product Citrix
    MetaFrame Presentation Server, used by PBGC’s benefit payments service
    provider to connect to its benefit payments system, PLUS, reached its
    end-of-life date on December 31, 2009. PBGC did not include the Citrix
    MetaFrame Presentation Server in the system boundary when conducting the
    A&A of the PLUS application.

    Recommendations:
    - Replace the Citrix MetaFrame Presentation Server. (OIG Control Number
      FS-10-04)
    - Include the application virtualization/application delivery product used
      by the benefit payments service provider to access the PLUS application in
      the system boundary. (OIG Control Number FS-10-05)

18. Finding: Privileged TeamConnect group accounts use shared accounts to grant
    access to users. The activity of these privileged users cannot be tracked or
    traced to an individual user. Additionally, TeamConnect developers have
    access to both the development and production systems.

    Recommendations:
    - Establish unique accounts for each user in TeamConnect. (OIG Control
      Number FS-11-02)
    - Restrict developers’ access to production. (OIG Control Number FS-11-03)
    - Implement a log review process that does not rely on TeamConnect’s
      developers reviewing the logs. (OIG Control Number FS-11-04)
    - Implement compensating controls for logging and reviewing changes made by
      powerful shared accounts. (OIG Control Number FS-11-05)

19. Finding: An MOU between PBGC and the service provider for the PLUS
    application was executed within PBGC, between PBGC federal employees, and
    not with the service provider. This MOU is needed to document the service
    provider’s responsibilities and security requirements for PLUS; however, it
    serves no purpose since the service provider did not sign it. Further,
    executing the MOU between federal employees and omitting the service
    provider demonstrates a lack of understanding of the purpose and importance
    of the agreement.

    Recommendation: Obtain a contract system representative’s signature on the
    PLUS MOU or, alternatively, develop an interconnection security agreement
    (ISA) between PBGC and the benefit payments service provider for the
    connection. (OIG Control Number FS-11-13)

20. Finding: PBGC did not review the service provider personnel’s access to
    the PLUS system to ensure the personnel were appropriately recertified.
    PBGC relies upon the service provider to test recertification and to assert
    that individuals have the proper access to the system. PBGC performed no
    further review to test the service provider’s assertion that user access is
    appropriate. The risk to PBGC is increased because the service provider’s
    PLUS users typically have greater access to the PLUS system than users at
    PBGC.

    Recommendation: Annually review contractor access recertifications for the
    benefit payments service provider employees with access to PLUS. (OIG
    Control Number FS-11-14)

21. Finding: PBGC did not conduct a review of the PLUS System Contingency Plan
    until July 2011, when we requested the documentation as part of the
    financial statement audit. Even after receipt of the document, PBGC did not
    evaluate the scope of the contingency plan, nor did PBGC assess the plan’s
    compliance with NIST SP 800-34 requirements.

    Recommendation: Review the PLUS contingency plan for compliance with NIST
    SP 800-34 requirements. (OIG Control Number FS-11-15)

22. Finding: Our assessment of the information PBGC provided as support for
    assessing the risk of operating a SOC in a foreign country found that
    PBGC’s risk assessment was not adequate. The information relied upon
    included a generic overview of connectivity that did not provide specifics
    on encryption end points, protocol filters, source and destination filters,
    and the locations of intervening infrastructure components, all of which
    are critical to the analysis of any design investigation. Further, PBGC did
    not address the verification of background checks for the employees of the
    foreign-country SOC, and PBGC was unable to adequately assess the risks of
    the SOC implementation.

    Recommendations:
    - Develop and implement a policy to identify and document the risks
      associated with PBGC operations performed in foreign countries, ensure
      appropriate management review, and take appropriate actions to mitigate
      identified risks. (OIG Control Number FS-11-16)
    - For the PLUS SOC operating in a foreign country, revise the existing risk
      assessment to identify and document risks, and take appropriate actions.
      (OIG Control Number FS-11-17)

VIII. FISMA RECOMMENDATIONS CLOSED IN FISCAL YEAR 2011

        OIG Control Number      Date Closed             Original Report Number
        FISMA-10-01             October 5, 2011         EVAL 2011-9/FA-10-69-8
        FISMA-09-07             October 5, 2011         AUD-2010-6/FA-09-64-6
        FISMA-09-12             October 5, 2011         AUD-2010-6/FA-09-64-6

IX.   PRIOR AND CURRENT YEARS’ OPEN FISMA RECOMMENDATIONS

        OIG Control Number                              Original Report Number

        Prior Year
        FISMA-09-08                                     AUD-2010-6/FA-09-64-6
        FISMA-09-09                                     AUD-2010-6/FA-09-64-6
        FISMA-09-10                                     AUD-2010-6/FA-09-64-6
        FISMA-09-11                                     AUD-2010-6/FA-09-64-6

        Current Year
        FISMA-11-01
        FISMA-11-02
        FISMA-11-03
        FISMA-11-04
        FISMA-11-05
        FISMA-11-06

X.    MANAGEMENT RESPONSE

If you want to report or discuss confidentially any instance of misconduct,
fraud, waste, abuse, or mismanagement, please contact the Office of
Inspector General.

                              Telephone:
                   The Inspector General’s HOTLINE
                           1-800-303-9737

          The deaf or hard of hearing, dial FRS (800) 877-8339
           and give the Hotline number to the relay operator.

                                   Web:
               http://oig.pbgc.gov/investigation/details.html

                                Or Write:
                 Pension Benefit Guaranty Corporation
                      Office of Inspector General
                            PO Box 34177
                    Washington, DC 20043-4177